Today, at a keynote event for hybrid jobs using Windows, Microsoft revealed some of the security features that are coming to Windows 11. The Insider community probably already knows about most of them and may even utilize them in their day-to-day workflows, but Microsoft’s announcement today is about what will be rolled out across the board in “future releases” of the operating system.
First, we’ll see more PCs using Microsoft’s Pluton security chip to implement advanced security features from the hardware level. Interestingly, Microsoft emphasized that the Pluton will be the only chip product to be improved and updated through Windows Update. Pluton is optimized for Windows 11, the company said and underscored Microsoft’s investment in a chip-to-cloud security strategy.
Hypervisor Protected Code Integrity (HVCI) will also be enabled by default on more Windows 11 devices. This will protect the machine from infections and malicious drives. To this end, the Vulnerable Driver Block List will leverage the power of HVCI and Windows Defender Application Control (WDAC). This is kernel-level mitigation that will be enabled by default for machines using HVCI or Windows 11 SE.
Microsoft will also provide Smart App Control for new Windows 11 devices. This solution will go beyond the built-in browser protection to cover any unsigned malicious applications. Intelligent application control is powered by artificial intelligence, inferring from process signals every second to ensure that only safe applications are allowed to run. Unfortunately, existing Windows 11 will need to be reset and clean installed to take advantage of this feature.
Enhanced phishing detection and prevention with Microsoft Defender SmartScreen in Windows will alert users when credentials are inserted into malicious apps or websites. Likewise, Credential Guard, which leverages hardware-backed, virtualization-based security features, will be enabled by default in Windows 11. Additional Local Security Authority (LSA) protection to confirm the identity of corporate-connected Windows 11 PCs will also be the default for the OS going forward.
Personal data protection is also coming to Windows 11. In order to access privileged data, users will first need to authenticate with Windows Hello for Business, so even if the device is stolen or misplaced, malicious actors cannot access sensitive data. Finally, Microsoft is also reminding businesses to be aware of the configuration lock that already exists in Windows 11, which can be used to monitor registry keys to ensure they meet the baselines set by the business and the IT industry as a whole.